1. Field
The following description relates to a Distributed Denial of Service (DDoS) attack detection technology, and more particularly, to an apparatus and method for reducing false positives when a router of an Internet Protocol (IP) network detects a DDoS attack.
2. Description of the Related Art
A Distributed Denial of Service (DDoS) attack is an attempt to make a specific server unable to provide its services by having multiple computers operate simultaneously. In order to attack a specific server, a hacker deploys a DDoS attack tool on multiple computers and generates an amount of traffic that is too great for the target server to handle, such that the target server can no longer provide its intended services.
DDoS attacks are classified into network bandwidth attacks, which consume all of the limited bandwidth to interrupt normal service, and system resource exhaustion attacks, which exhaust the CPU and memory of a server or of network equipment to hinder services.
Currently, DDoS attacks are launched against online game providers, financial companies, government organizations, etc. in various ways. Against such DDoS attacks, DDoS prevention equipment is used. DDoS prevention is achieved by using an Access Control List (ACL), performing a Drop on packets that are determined to be a DDoS attack, or using dedicated security equipment. The best way to prevent a DDoS attack is to use inline security equipment. However, the security equipment needs to operate at a speed exceeding the network line rate, and the resources of the security equipment also need to withstand the DDoS attack, thereby increasing the expense of building the security equipment.
In this regard, a router needs to mitigate the network traffic to some degree. However, according to the conventional Drop scheme, all of the traffic directed to a target server is dropped. Accordingly, it becomes impossible to provide services to the external network of the target server. In addition, even if an ACL is used to respond to a DDoS attack, it is difficult to respond with a small number of ACL entries. Moreover, if ACLs are used to protect the target server against several tens of thousands of attacks, a great work load is imposed on the server administrator.
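The two shortcomings of the related art described above can be made concrete with a small simulation. The following is an added example and not the apparatus of this description: it scores a conventional target-wide Drop rule against a per-source ACL over a constructed set of flow records (three legitimate clients and 20,000 constructed attack sources on private addresses; the 500 pps threshold is an assumed value).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    pps: int      # observed packets per second from this source
    legit: bool   # ground truth, used only to score the mitigation


TARGET = "203.0.113.10"  # constructed target server address


def sample_flows(n_bots: int = 20000) -> list[Flow]:
    """Constructed sample: 3 legitimate clients plus n_bots attack sources."""
    flows = [Flow(f"198.51.100.{i}", TARGET, 50, True) for i in range(1, 4)]
    flows += [Flow(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}",
                   TARGET, 2000, False) for i in range(n_bots)]
    return flows


def drop_scheme(flows: list[Flow], target: str) -> tuple[set[Flow], int]:
    """Conventional Drop: one rule discards every packet destined for the target."""
    return {f for f in flows if f.dst == target}, 1


def acl_scheme(flows: list[Flow], threshold_pps: int) -> tuple[set[Flow], int]:
    """Per-source ACL: one entry for every source whose rate exceeds the threshold."""
    dropped = {f for f in flows if f.pps > threshold_pps}
    return dropped, len(dropped)


def score(flows: list[Flow], dropped: set[Flow]) -> dict[str, float]:
    """False-positive rate = share of legitimate flows dropped; detection = share of attack flows dropped."""
    legit = [f for f in flows if f.legit]
    attack = [f for f in flows if not f.legit]
    return {
        "false_positive_rate": sum(f in dropped for f in legit) / len(legit),
        "detection_rate": sum(f in dropped for f in attack) / len(attack),
    }


if __name__ == "__main__":
    flows = sample_flows()
    for name, (dropped, rules) in (("drop", drop_scheme(flows, TARGET)),
                                   ("acl", acl_scheme(flows, 500))):
        print(name, score(flows, dropped), "rules:", rules)
```

The Drop rule reaches full detection at the price of dropping every legitimate client, while the per-source ACL keeps legitimate traffic but needs one entry per attack source, which is the administrative burden the text refers to.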